Wednesday, 9 January 2013

The best that can be said about the latest report on the Regulation is ...

Well well well. Viviane Reding may well have a few things to say about data protection after all, when she addresses people from all walks of life after they have stormed into Dublin Castle to see her on Thursday.

As if by coincidence, the Committee on Civil
Liberties, Justice and Home Affairs has just published its proposals to amend
the draft General Data Protection Regulation. I’ve already read a number of commentaries
on the proposals, and am astonished at the speed with which so many legal
experts can read all 215 pages of the document, and take full account of each
of the 350 amendments that are proposed.

I can assure you that I have not read
them all yet – but can recommend, for those who have busy lives to lead, that
eager professionals should first turn to the explanatory statement, which can
be found on pages 209 –
215. That is all most of us need to bother with this week.

First, the good news. There are lots of reassuring words to soothe the nerves of the professionals who are worried about legal certainty:

“The Regulation needs to be comprehensive also in terms of
providing legal certainty. The extensive use of delegated and implementing acts runs counter to
this goal. Therefore the rapporteur proposes the deletion of a number of provisions
conferring on the Commission the power to adopt delegated acts. However, in order to provide legal
certainty where possible, the rapporteur has replaced several acts with more detailed wording in the Regulation... In other instances, the rapporteur proposes to
entrust the European Data Protection Board with the task of further specifying
the criteria and requirements of a particular provision instead of granting the
Commission the power to adopt a delegated act. The reason is that in those
cases the matter relates to cooperation between national supervisors and they
are better placed to determine the principles and practices to be applied.”

And on data breach notification:

“The rapporteur proposes to extend the period within which to
notify a personal data breach to the supervisory authority from 24 to 72 hours. Furthermore, to
prevent notification fatigue to data subjects, only cases where a data breach is likely to
adversely affect the protection of the personal data or privacy of the data subject, for example in
cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage
to reputation, the data subject should be notified. The notification should also comprise a
description of the nature of the personal data breach, and information regarding the rights,
including possibilities regarding redress.”

And on consent:

“Technical standards that express a subject’s clear wishes may
be seen as a valid form of providing explicit consent.” Presumably, this allows
for people to signify their consent by continuing to browse a web site.

And on privacy iconography:

“Information to data subjects should be presented in easily
comprehensible form, such as by standardised logos or icons.”

Even a few jokes are slipped in:

“Consent should remain a cornerstone of the EU approach to data
protection, since this is the best way for individuals to control data processing activities.”

Excuse me. Whenever was consent a preferred technique of establishing
that processing was legitimate, when a data controller could otherwise have relied on the legitimate interests provision?

But there are better jokes:

“In order to function, a crucial element is that DPAs, who must
be completely independent, need to be sufficiently resourced for the effective
performance of their tasks. Cooperation between DPAs will also be strengthened
in the context of a European Data Protection Board (which will replace the
current Article 29 Working Party). The rapporteur views the foreseen
cooperation and consistency mechanism among national DPAs as a huge step towards
a coherent application of data protection legislation across the EU.”

I say. What will it really take to ensure that DPAs are sufficiently
resourced? And how many Governments can really afford that, in the current economic
climate?

The second funniest joke is:

“The rapporteur supports the aim of strengthening the right to
the protection of personal data, while ensuring a unified legal framework and reducing
administrative burdens for data controllers.”

Will these measures really reduce administrative burdens for data controllers? Or does the report simply platinum-plate a proposal that has already been severely criticised as being unaffordable? I can’t answer this as I have not seen a compliance cost assessment. I doubt that one has even been prepared.

The best joke of all is:

“The rapporteur expects his proposals to form a good basis for
swift agreement in the European Parliament and negotiations with the Council
during the Irish presidency.”

If the rapporteur’s expectation is that such a hugely complicated proposal will be rushed through the next stage of the scrutiny process, and that it forms a good basis for negotiations with the Council during the Irish presidency, then I’m a banana.

I do agree, though, that the proposal is guaranteed to deliver to MEPs who support it the gratitude of their constituents in next year’s European elections. That is, until the electorate realise that the burdens of paying for this uncosted proposal will quickly fall on all European consumers. Yes, even the Greek, Spanish, Portuguese, Italian and the French consumers.

According to the mighty Eduardo Ustaran, writing in the FFW blog: “What was already a very complex piece of draft legislation has become by far the strictest, most wide-ranging and potentially most difficult to navigate data protection law ever to be proposed.”

But it is Chris Pounder, the great HawkTalk blogger, who wins the prize for the most challenging summary of the day: “However, remember that the real power is with the Council of Ministers. It’s what they say that goes; this report, when the chips are down, will be more or less ignored (and the drafting errors will make this so easy to do).”

About Me

I'm Martin Hoskins, and I write this blog to offer somewhat of an irreverent approach to data protection issues. I'm not one of the "high priests" of data protection. I prefer the principles of transparency, fairness, practicality and risk-assessment over tedious technical dogma. In my view, when the law is unfair or impractical, it should be queried.
While I may, occasionally, gently criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity. My comments should never be taken to represent anyone else's views about any of the pressing issues of the day.
There is a much more serious side to my privacy consulting work, but for that you'll need to contact me at Grant Thornton UK LLP, where I'm an Associate Director, leading the UK privacy practice.
I tweet as @DataProtector.
You can contact me at:
martin.c.hoskins@uk.gt.com, or (with respect to my less serious posts) info@martinhoskins.com.